Building Infrastructure you can (mostly) trust

In this talk, I look at how to build codified infrastructure that you can (mostly) trust and highlight important patterns that help in limiting the blast radius of changes.

This version of the talk was given at DevOops in November 2021.

---

Companion Code: github.com/ksatirli/building-infrastructure-you-can-mostly-trust

Kerim Satirli

November 09, 2021

Transcript

  1. Building Infrastructure you can (mostly) trust.

  2. [Architecture diagram] Sensors (TEMP, HUM, NOISE, LUX, PAX) feed GATEWAY 1, GATEWAY 2 … GATEWAY N (each with IN / OUT), which connect to CLOUD and INTERNAL.

  3. TO DO: improve code. DEADLINE: TBD :)

  4. Deployment Guide: SQL Server rev. 12 (1 / 23). TO DO: SQL Server (HA) :( DEADLINE: ASAP

  5. Deploy for upcoming Exposition? From S. Miller to: me, A. Chyornyj

  6. TERMINAL
    > terraform plan -out="iot.tfplan"
    Plan: 8 to add, 0 to change, 0 to destroy.
    ────────────────────────────────────────
    Saved the plan to: iot.tfplan
    Run the following command to apply: terraform apply "iot.tfplan"

  7. [Trust circles diagram] You; Neighbours (direct teammates); In-Group (associated teams, rest of organization); Out-Group (external partners, general public, OSS contributions)

  8. 01 Trusting Yourself: Works On My Machine

  9. CODE EDITOR (Trustable Code)
    resource "yandex_compute_instance" "exposition" {
      name        = "vdnkh-1"
      platform_id = "standard-v1"
      zone        = var.yandex_zone
      resources {
        cores  = 20
        memory = 48
      }
      boot_disk {
        auto_delete = true
        initialize_params {
          image_id = data.yandex_compute_image.ubuntu.image_id
        }
      }
      …
    }

  10. TERMINAL (Trustable Code)
    > git log -1
    commit dbbb68b7cd862a95467940a3636813117d3bd2cd (HEAD -> main)
    Author: Kerim Satirli <kerim@hashicorp.com>
    Date:   Tue Nov 9 09:41:00 2021 +0200
        linting

  11. TERMINAL (Trustable Code)
    > git log --show-signature -1
    commit dbbb68b7cd862a95467940a3636813117d3bd2cd (HEAD -> main)
    gpg: Signature made Tue Nov 9 09:41:00 2021
    gpg:                using RSA key DAC9F8147655C16210FC5BA84E06DF3A215B79A8
    gpg: Good signature "kerim@hashicorp.com"
    Author: Kerim Satirli <kerim@hashicorp.com>
    Date:   Tue Nov 9 09:41:00 2021 +0200
        linting
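The signature check on this slide is something a CI job can gate on before a plan is applied. As an added example that is not part of the talk or its companion repository, this Python script parses `git log --show-signature` output (a constructed sample with fake shas and key ids) and accepts a commit only when gpg reports a good signature from a key on an allow-list; the allow-list and the sample log are assumptions.

```python
import re

# Constructed sample of `git log --show-signature` output; shas and key ids are fake.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111 (HEAD -> main)
gpg: Signature made Tue Nov 9 09:41:00 2021 CET
gpg:                using RSA key AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444
gpg: Good signature from "Example Dev <dev@example.com>" [ultimate]
Author: Example Dev <dev@example.com>
Date:   Tue Nov 9 09:41:00 2021 +0200
    linting
commit 2222222222222222222222222222222222222222
Author: Someone Else <else@example.com>
Date:   Mon Nov 8 10:00:00 2021 +0200
    unsigned hotfix
commit 3333333333333333333333333333333333333333
gpg: Signature made Sun Nov 7 12:00:00 2021 CET
gpg:                using RSA key FFFF9999FFFF9999FFFF9999FFFF9999FFFF9999
gpg: Good signature from "Unknown Dev <x@example.com>" [unknown]
Author: Unknown Dev <x@example.com>
Date:   Sun Nov 7 12:00:00 2021 +0200
    signed, but with a key outside the allow-list
"""

TRUSTED_KEYS = {"AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444"}  # constructed allow-list

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})", re.M)
KEY_RE = re.compile(r"gpg:\s+using \w+ key ([0-9A-F]{16,40})")


def verdicts(log_text, trusted_keys):
    """Map each sha to 'trusted', 'untrusted-key', 'not-verified' or 'unsigned'."""
    parts = COMMIT_RE.split(log_text)[1:]  # [sha1, body1, sha2, body2, ...]
    result = {}
    for sha, body in zip(parts[0::2], parts[1::2]):
        key = KEY_RE.search(body)
        if "gpg:" not in body:
            result[sha] = "unsigned"            # no signature header at all
        elif "gpg: Good signature" not in body or key is None:
            result[sha] = "not-verified"        # BAD signature, missing public key, ...
        elif key.group(1) in trusted_keys:
            result[sha] = "trusted"
        else:
            result[sha] = "untrusted-key"       # valid signature, but an unknown signer
    return result


def all_trusted(log_text, trusted_keys):
    """True only if every commit in the log is signed by an allow-listed key."""
    return all(v == "trusted" for v in verdicts(log_text, trusted_keys).values())
```

A "good" gpg verdict alone is not enough: the third commit verifies cleanly but fails the gate because its signer is not on the allow-list.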
  12. Trustable Code: github.com/operatehappy/packer-hashicorp

  13. TERMINAL (Validation (basic))
    > terraform validate
    │ Error: Reference to undeclared input variable
    │
    │   on compute.tf line 5, in resource "yandex_compute_instance" "exposition":
    │    5:   zone = var.yandex_zon
    │
    │ An input variable with the name "yandex_zon" has not been declared.
    │
    │ Did you mean "yandex_zone"?

  14. TERMINAL (Validation (basic))
    > pre-commit run --all-files
    Check for added large files............................Passed
    Check for case conflicts...............................Passed
    Check for merge conflicts..............................Passed
    Terraform fmt..........................................Passed
    Terraform validate.....................................Passed

  15. TERMINAL (Validation (advanced))
    > tflint
    1 issue(s) found:
    Notice: resource name `exposition-test` must match the following format: snake_case (terraform_naming_convention)
      on compute.tf line 2:
       2: resource "yandex_compute_instance" "exposition-test" {
    Reference: github.com/terraform-linters/tflint/blob/master/docs/rules/terraform_naming_convention.md

  16. CODE EDITOR (Version Pinning)
    terraform {
      required_providers {
        yandex = {
          source  = "yandex-cloud/yandex"
          version = "0.66.0"
        }
      }
      required_version = "1.0.10"
    }

  17. CODE EDITOR (Version Pinning): same configuration as slide 16.

  18. Compatibility Promises: https://www.terraform.io/docs/language
    Learn more about the Terraform 1.0 Compatibility Promises: https://www.terraform.io/docs/language/v1-compatibility-promises.html

  19. TERMINAL (Version Pinning)
    > terraform init
    Initializing provider plugins...
    - Finding yandex-cloud/yandex versions matching "0.66.0"...
    - Installing yandex-cloud/yandex v0.66.0...
    - Installed yandex-cloud/yandex v0.66.0 (key ID E40F590B50BB8E40)

  20. CODE EDITOR (Version Pinning)
    provider "registry.terraform.io/yandex-cloud/yandex" {
      version     = "0.66.0"
      constraints = "0.66.0"
      hashes = [
        "h1:oThGd+Ls…84poGbY=",
        "zh:2eb19ceb…bc734a96",
        "zh:3f094b5b…3647a69d",
        "zh:43f1c9f0…996adb2c",
        "zh:44ca4c74…928943c9",
        "zh:609f33ad…9f1592ce",
        "zh:6da9c95b…1d179d88",
        "zh:6deacbba…bc2031a1",
        "zh:77283a62…60a436da",
        "zh:8a12d8cb…a683aa4c",
        "zh:9c91491d…2d40e0fc",
        "zh:b3b37f83…4ca284fd",
        "zh:dc8cd0d2…fff4016f",
        "zh:e298c674…f5e72b26",
      ]
    }
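The lock file on this slide is what makes the pin verifiable: `terraform init` checks the downloaded provider package against the recorded `h1:` hashes and refuses a mismatch. As an added example, not from the talk or its companion repository, this Python audit parses a constructed `.terraform.lock.hcl` (hash values are placeholders, the `hashicorp/random` entry is invented to show a loose constraint) and flags entries whose version is not an exact pin, whose constraint drifts from the locked version, or which carry no `h1:` hash.

```python
import re

# Constructed lock file modelled on the slide's layout; the hash values are fake placeholders.
SAMPLE_LOCK = '''\
provider "registry.terraform.io/yandex-cloud/yandex" {
  version     = "0.66.0"
  constraints = "0.66.0"
  hashes = [
    "h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "zh:0000000000000000000000000000000000000000000000000000000000000000",
  ]
}
provider "registry.terraform.io/hashicorp/random" {
  version     = "3.1.0"
  constraints = "~> 3.0"
  hashes = [
    "zh:1111111111111111111111111111111111111111111111111111111111111111",
  ]
}
'''

BLOCK_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+$")  # a pin like 0.66.0, not a range like ~> 3.0


def parse_lock(text):
    """Return {address: {"version", "constraints", "hashes"}} for every provider block."""
    entries = {}
    for addr, body in BLOCK_RE.findall(text):
        version = re.search(r'version\s*=\s*"([^"]+)"', body)
        constraints = re.search(r'constraints\s*=\s*"([^"]+)"', body)  # may be absent
        entries[addr] = {"version": version and version.group(1),
                         "constraints": constraints and constraints.group(1),
                         "hashes": re.findall(r'"((?:h1|zh):[^"]+)"', body)}
    return entries


def audit(text):
    """Return {address: [findings]}; an empty list means the entry is acceptable."""
    findings = {}
    for addr, e in parse_lock(text).items():
        v, c, problems = e["version"], e["constraints"], []
        if not (v and EXACT_RE.match(v)):
            problems.append("locked version is not an exact x.y.z")
        if not (c and EXACT_RE.match(c)):
            problems.append("constraint is not an exact pin: %r" % c)
        elif c != v:
            problems.append("constraint %s differs from locked version %s" % (c, v))
        if not any(h.startswith("h1:") for h in e["hashes"]):
            problems.append("no h1: hash recorded for the current platform")
        findings[addr] = problems
    return findings
```

The `zh:` entries are registry-reported hashes only; without an `h1:` entry the lock cannot verify the package actually installed on the machine running `terraform init`.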
  21. Works On My Machine
    ▪ formatting
    ▪ linting
    ▪ version pinning

  22. 02 Trusting Your Team: Architecture to form Trust Relationships

  23. CODE EDITOR
    variable "yandex_token" {
      type        = string
      sensitive   = true
      description = "IAM token for authentication."
    }

  24. CODE EDITOR
    # see registry.terraform.io/providers/yandex-cloud/yandex/latest/docs#zone
    variable "yandex_zone" {
      type    = string
      default = "ru-1c"
      # see cloud.yandex.com/en/docs/overview/concepts/geo-scope
      validation {
        condition     = contains(["ru-1a", "ru-1c"], var.yandex_zone)
        error_message = "Value must be one of `ru-1a` or `ru-1c`."
      }
    }

  25. CODE EDITOR (Output)
    output "console_compute_instances_overview" {
      description = "URL for Compute Overview."
      value       = "console.cloud.yandex.com/…"
    }
    output "yandex_folder_id" {
      description = "Yandex.Cloud Folder ID."
      sensitive   = true
      value       = var.yandex_folder_id
    }

  26. TERMINAL (Codify Patterns)
    > terraform plan
    Terraform will perform the following actions:
      # yandex_compute_disk.os_disk will be created
      + resource "yandex_compute_disk" "os_disk" {}
      # yandex_compute_disk.data_disk will be created
      + resource "yandex_compute_disk" "data_disk" {}
      # yandex_compute_instance.main will be created
      + resource "yandex_compute_instance" "main" {}
      # yandex_dns_zone.main will be created
      + resource "yandex_dns_zone" "main" {}

  27. Codify Patterns: https://github.com/im2nguyen/rover

  28. Minimally Viable Pattern
    Networking Module
    ▪ Resources
      – vpc_network
      – vpc_subnet(s)
      – vpc_security_group
    ▪ Inputs / Outputs
      – var.cidr_range
      – dns_zone
      – iam_service_account
    Compute Module
    ▪ Resources
      – compute_instance
      – compute_disk(s)
      – dns_recordset(s)
    ▪ Inputs / Outputs
      – vpc_subnet
      – dns_zone
      – iam_service_account
    IAM Module
    ▪ Resources
      – resourcemanager_folder
      – iam_*
    ▪ Inputs / Outputs
      – var.zone
      – var.folder_id
      – iam_service_account

  29. TERMINAL (Module Structure)
    > cd module-example && tree
    ├── examples
    ├── CHANGELOG.md
    ├── LICENSE
    ├── README.md
    ├── main.tf
    ├── output.tf
    ├── terraform.tf
    └── variables.tf

  30. CODE EDITOR (Config-driven Move, Terraform 1.1)
    resource "yandex_compute_instance" "exposition" {
      name        = "vdnkh-1"
      platform_id = "standard-v1"
      zone        = var.yandex_zone
      …
    }
    moved {
      from = yandex_compute_instance.exposition
      to   = yandex_compute_instance.main
    }

  31. CODE EDITOR (Module Defaults)
    module "website" {
      source  = "vdnkh/website/yandex"
      version = "1.0.0"
      folder_id = var.yandex_folder_id
      zone      = var.yandex_zone
    }

  32. CODE EDITOR (Protecting Secrets)
    provider "yandex" {
      token     = var.yandex_token
      cloud_id  = var.yandex_cloud_id
      folder_id = var.yandex_folder_id
      zone      = var.yandex_zone
    }

  33. CODE EDITOR (Protecting Secrets)
    variable "yandex_token" {
      type        = string
      sensitive   = true
      description = "IAM token for authentication."
    }
    output "yandex_folder_id" {
      description = "Yandex.Cloud Folder ID."
      sensitive   = true
      value       = var.yandex_folder_id
    }

  34. TERMINAL (Generated Docs)
    > terraform-docs .
    README.md updated successfully

  35. Generated Docs: git.io/JX2mP

  36. [Architecture diagram, revisited] Sensors (TEMP, HUM, NOISE, LUX, PAX); GATEWAY 1, GATEWAY 2 … GATEWAY N (each with IN / OUT); QUARANTINE; CLOUD; INTERNAL.

  37. Trust Relationships
    ▪ validate your inputs
    ▪ over-document everything
    ▪ modularize with minimalism in mind

  38. Resources
    ▪ slides: speakerdeck.com/ksatirli/building-infrastructure-you-can-mostly-trust
    ▪ code: github.com/ksatirli/building-infrastructure-you-can-mostly-trust
    Find more resources on github.com/ksatirli/building-infrastructure-you-can-mostly-trust.

  39. Kerim Satirli, Sr. Developer Advocate at HashiCorp (he/him), @ksatirli
    Find me on twitter.com/ksatirli.

  40. Thank You. @ksatirli kerim@hashicorp.com